By John Weaver
Target has agreed to pay $18.5 million to settle a lawsuit involving 47 states and the District of Columbia related to a 2013 cyberattack that affected the data privacy of more than 41 million customers. The hackers gained access to Target’s customer service database, capturing full names, phone numbers, email addresses, payment card numbers, credit card verification codes, and other sensitive data belonging to those customers.
As part of the settlement, Target and the investigating states have executed an Assurance of Voluntary Compliance, which requires Target to comply with the states’ personal information protection acts, consumer protection statutes, and security breach notification acts – which, of course, it was required to do already – as well as develop a comprehensive information security program within 180 days. The security program must segment the technologies used to store and process payment cards from the rest of its computer network and encrypt payment card information throughout the entirety of any transaction, among other required safeguards.
Target’s 2013 data breach and the resulting settlement payments (this isn’t the first, or even the second) highlight the importance of maintaining best practices when handling personal data and ensuring compliance with all relevant data protection statutes. Your company should review its practices and policies regularly to ensure that they do not leave you open to a cyberattack or to liability.